(57) Abstract

In a method for identification of a data transmission device (1, 5) in a data transmission system, a data transmission connection is formed between at least a first (1) and a second data transmission device (5). The identification is conducted both ways, wherein the second data transmission device (5) identifies the first data transmission device (1) and the first data transmission device (1) identifies the second data transmission device (5). The identification comprises at least the following steps: generating at least one identification message (R1, R2), transmission of said identification message (R1, R2) between the data transmission devices (1, 5), generating a check-up message (C1s, C2p) of said identification message (R1, R2) in the receiving data transmission device (1, 5), sending said check-up message (C1s, C2p) to the data transmission device (1, 5) which sent the identification message (R1, R2), in which a verification message (C1p, C2s) is generated, with which the received check-up message (C1s, C2p) is compared.
Method for identification of a data transmission device

The present invention relates to a method presented in the preamble of Claim 1 for identification of a data transmission device in a data transmission system, where a connection is made for transmission of data between a first data transmission device and a second data transmission device. The invention relates also to a data transmission system presented in the preamble of Claim 5 and to a data transmission device presented in the preamble of Claim 8.

Systems have been developed for making various payments by data processing equipment, by telecommunication terminal equipment, such as a telephone or a mobile station, by a payment terminal, or by a so-called smart card (processor card). Particularly the payment transactions of companies are nowadays largely made through data processing equipment of the company itself, wherein the data processing equipment has banking software or the like for input of the payments. Thus a terminal is used for input of the required information, such as the bank account number of the recipient, the sum in marks, the due date etc., wherein the data processing equipment makes a data transmission connection, for example via a modem and a telecommunication network, to the data processing equipment handling payments at a bank, such as a mainframe. For preventing misuse, the payer must enter his or her user identification code and password at the beginning of the connection, wherein the data processing equipment of the bank checks if the given data correspond with the data recorded in the data processing equipment of the bank. If the data are identical, the data processing equipment of the bank will start receiving data, record the payments in its register and transfer the given sum of money on the due date from the account of the payer to the account of the recipient.

For payment, the data transmission is usually made either by batch processing or in real time. In batch processing, the data of all the payments to be made at a time are set in the memory of the data processing device, whereafter a data transmission connection is made with the payment server of the bank and the data is transmitted. After the transmission, the connection can be cut. Thus connection time is essentially used only as long as is required for data transmission at the transmission rate available at the time. In real-time transmission, the connection is made as early as at the beginning of the session and the payment data are transmitted immediately to the payment server of the bank. After the payment instructions are entered and sent to the payment server of the bank, the connection is cut. This alternative requires a longer connection time than batch processing.

So-called smart cards or processor cards are small cards manufactured 
usually in the size of a credit card and having a microprocessor and 
electronic circuits required for its operation laminated in plastic. Further, 
the surface of the card is usually provided with electric contacts for con- 
necting supply voltages to the card and for transferring control and data 
signals between the card and its read/write device. However, systems 
have been developed for transferring the signals between the card and 
its read/write device as well as the supply voltages of the card in a 
wireless manner e.g. as high frequency electromagnetic signals. These 
methods involve the problem of transmitting a sufficiently high quantity 
of energy to the card so that the card can perform the necessary 
operations, such as checking of encryption and decryption, sufficiently 
quickly. 

Smart cards are used e.g. as charge cards in several different applica- 
tions, such as with public telephones, as coin cards, as means of pay- 
ment at public transportation means, etc. When a smart card is to be 
used as a charge card, money can be stored on its so-called electronic 
purse for example at automatic cash dispenser points having the 
equipment for controlling the smart card and charging money on the 
card. 

Figure 1b is a reduced block diagram illustrating the internal structure of a smart card 12, known as such. A central processing unit CPU controls the operation of the smart card 12 on the basis of a program code stored in the read-only memory ROM. Various user-specified data to be stored permanently in the memory can be stored in the electrically erasable programmable read-only memory EEPROM. During use of the smart card, the data memory RAM can be used as a temporary data storage. A bus adapter DATA-I/O adapts the smart card 12 to the interface lines of the card reading device (not shown) as well as to a control and data line 13. The properties and function of the smart cards can be set by storing application software according to the use in the program memory of the card, advantageously at the manufacturing stage.

Increased popularity of the Internet data network has given particular rise to the development of various payment systems in which the user of the Internet network can for example order goods from different suppliers and make payments for the orders by using the Internet data network. In addition to making orders and payments, the Internet data network and other data transmission systems are used to carry messages and even confidential information. Thus the sender and receiver of the message should be able to make sure that the other party of the connection is really the intended one. However, it is very easy to eavesdrop on the Internet data network and to follow communication in it, wherein it is also possible to forge and misuse data. It should still be possible to make payments and transmit other confidential information in a way that is protected as well as possible from outsiders. For enciphering communication, enciphering or encryption systems have been developed for data transmission systems, as well as identification systems for identification of the sender of the information, e.g. in connection with making payments. The encryption methods are primarily based on the fact that each user has his or her own user code and an encryption key for confirming the identification of the user. This confirmation with the encryption key is also called a digital signature, because this method is analogous to the situation in which the user pays for purchases e.g. with a credit card and confirms his or her identity with his or her own signature, which the seller possibly compares with the signature on the I.D. card or the like of the payer.

The purpose of the digital signature is thus to identify both the user and the transmitted message and to secure that the content of the message has not changed during the transmission. Using the digital signature enhances the security of smart card systems and other systems based on electronic payment.

There are two main types of digital signature systems: those based on 
a secret key and those based on a public key. 
In a system based on the secret key, the same encryption key is used for forming the digital signature at the sending end and for confirming the transmitted signature at the receiving end, wherein the operations for both encryption and confirming are substantially identical. The secret key system is also called symmetric encryption. One very well known encryption method using a secret key is the U.S. Federal Data Encryption Standard (DES). The encryption can involve either all the transmitted data or only some of the data, such as the user code. Which parts are encrypted is either known in advance to the communicating parties, or is marked in the data to be transmitted, e.g. by changing the value of an encryption bit. Thus it is possible at the receiving end to find out which parts of the received data are encrypted. At the receiving stage, an encryption checking key identical to the encryption key is used for confirming that the received encrypted information is correct, i.e. that the encryption key used at the transmitting stage was identical with the encryption checking key used at the receiving stage. The encryption can be deciphered by using the encryption checking key.

In encryption systems based on a public key, a pair of two keys is used, the first being a secret key and the second a public key. The secret key is used for encrypting the data to be encrypted at the transmission stage, and the encryption is checked using the public key at the receiving stage. The public key can be used only for checking the encryption and for deciphering, but it is not possible to use the public key to find out which encryption key was used to encrypt the data. The system based on a public key is also called asymmetric encryption. In this system, the public key can be known to anybody, but the secret key is only known to the sender.

Consequently, systems based on the secret key require that the same encryption key is known both to the sender and the receiver. Thus for example in payment terminal applications, the payment terminal must contain the encryption keys of all the persons having the right to use the payment terminal, wherein such a payment terminal must be made very reliable and tamper-proof. In practice, this means that the apparatus becomes very expensive and it must be mounted in a fixed position and possibly also equipped with a burglar alarm or the like. In this respect, the public key system is more advantageous, because the payment terminal or the like does not need to contain secret keys; it is sufficient that the terminal has the public keys for checking the encryption made with the different secret keys. The terminal thus holds no secrets at all, wherein the number of keys that must be protected is substantially smaller than in systems based on the secret key. Further, it is not possible to use the public key to find out the secret key used for encryption. On the other hand, the above-mentioned encryption methods have the disadvantage that the sender cannot make sure that the receiver is the intended recipient. There is thus the risk of an outsider interfering with the data transmission, e.g. by coupling on to telephone lines and forging the data transmission. Furthermore, this can be performed in a way that both the sender and the intended recipient see the situation as normal, but in reality the communication is made via a third party, and the payment can be directed to a wrong account or confidential information is made known to outsiders.

In mobile communication networks at least part of the data transmission is made in a wireless manner by using radio transmitters and receivers. The radio channel is a physically open resource which is available to anybody via a suitable data transmission device. This involves security risks, for example eavesdropping or disclosure of the location of a subscriber. In digital mobile communication networks, such as GSM networks, digital data transmission is used which is difficult to eavesdrop on. Further, it is possible to use caller identification and encryption in data transmission. For preventing eavesdropping, encryption methods have been developed for digital mobile communication networks, whereby the speech converted to digital form and the data signal are encrypted. Also other information carried via the radio channel can be encrypted, such as the identification data of a mobile station (International Mobile Subscriber Identity, IMSI) and the identification data on the location (Location Area Identification, LAI). In the receiver, the encrypted signal is deciphered back to unencrypted speech and data. The encryption key and algorithm to be used in encryption are advantageously known only to the sending and receiving equipment in question, wherein deciphering the coded signal to intelligible speech and data, as well as tampering with the bit stream, without the correct encryption key and algorithm is very difficult, thanks to the efficient encryption algorithms currently in use.

At present, mobile stations are known which use a smart card of the type shown in Figure 1a, comprising a subscriber identity module, such as a SIM module 4. The SIM module comprises typically a central processing unit (CPU), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), and a random access memory (RAM). For using the mobile station, a personal identity code stored on the SIM module must be given in connection with the use of the mobile station, usually upon switching on the mobile station. The data memory of the SIM module can also be used for storing other user-specified information, telephone numbers, messages, etc.

The most common digital mobile communication networks are so-called cellular networks. Figure 2 is a reduced diagram showing a mobile communication network known as such, in which the invention can be advantageously applied. The base station subsystem (BSS) of the mobile communication network comprises base transceiver stations (BTS) and base station controllers (BSC). The mobile station (MS) 3 is in a data transmission connection via the radio channel with a base station close to the respective location of the mobile station. The base station is in a data transmission connection with the base station controller. Data transmission between the base station and the base station controller is usually carried via a cable. Each base station controller operates with a group of several base stations. The base station controller is, in turn, in a data transmission connection with a mobile services switching centre (MSC). The mobile services switching centres can, in turn, be in a data transmission connection with each other as well as with a landline communication network exchange (PSTN, ISDN). The information to be transmitted is usually divided into frames containing control information, speech converted to digital form, data, and error correction information. The frame structure can have several levels, wherein the frames of an upper level are formed by arranging frames of a lower level. Encryption can be directed both to the control information and to the speech and data portions. Further, the encryption can be carried out also in a way that different encryption keys and algorithms are used at different frame levels. One example of digital communication networks is the GSM network, which has a standard defining the encryption methods and algorithms to be used.

In the GSM network, a mobile originated call is set up in a way that the GSM mobile station and the GSM system network send control and identification signals required for call set-up to each other. In response to a connection request, the GSM mobile station is assigned a channel for signalling, if this is possible within the capacity of the GSM system network. On this channel, the GSM mobile station makes the GSM system network a request for speech or data services. On the side of the GSM system network, this request is transmitted to the mobile services switching centre (MSC), in which the rights of the GSM subscriber in question are verified from the visitor location register (VLR).

Upon a mobile terminated call, e.g. from a landline telephone network subscription, the PABX of the telephone network transmits inter alia the telephone number of the mobile station to the mobile services switching centre. The MSC verifies the rights of the GSM subscriber in question from the home location register (HLR) and the visitor location register (VLR). Following this, the GSM system network and the GSM mobile station send control and identification data required for call set-up.

Depending on the application and on the configuration of parameters, the visitor location register VLR can, via the mobile services switching centre, send the GSM mobile station a request for exchange of identification data and start of encryption. However, call set-up is possible also without exchange of identification data and encryption. In other words, the call is either encrypted or not encrypted according to the network parameters set by the operator of the GSM system network.

In the GSM system, encryption is made on the physical level as bit-wise stream encryption, i.e. the bit stream to be transmitted on the radio channel is formed by adding (modulo 2) to the data the keystream bits that are generated by the A5 algorithm, known as such, using the encryption key Kc. The A5 algorithm encrypts on the physical level the data and signalling information to be transmitted on channels assigned for data transmission (traffic channel, TCH, or dedicated control channel, DCCH).
Synchronization of the messages to be transmitted is secured by controlling the A5 algorithm with specific synchronization data (COUNT). The synchronization data COUNT is formed on the basis of the TDMA frame number. Thus the content of each 114 bit block generated with the A5 algorithm depends only on the frame numbering and the encryption key Kc; the same key Kc together with the same COUNT value always yields the same keystream block, which is one reason why the key Kc is set up anew for each connection, as described below.
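As an added illustration, not code from the patent or from any GSM implementation, the following Python shows the property just described: a 114 bit keystream block that is a function of Kc and the frame-number-derived COUNT only, added modulo 2 (XOR) onto the data. HMAC-SHA256 stands in for the A5 algorithm and a 32-bit big-endian frame number stands in for COUNT (both assumptions; the real A5 is a stream cipher with its own COUNT format), and the function names are mine. The last function shows what follows from the "depends only on" property when the same (Kc, COUNT) pair is used for two blocks.

```python
import hashlib
import hmac

BLOCK_BITS = 114  # keystream bits per block, as stated in the text


def count_from_frame(frame_number: int) -> bytes:
    """COUNT derived from the TDMA frame number (assumed 32-bit big-endian encoding)."""
    return (frame_number & 0xFFFFFFFF).to_bytes(4, "big")


def keystream_block(kc: bytes, frame_number: int) -> int:
    """Stand-in for A5: a 114-bit block that is a function of (Kc, COUNT) only."""
    digest = hmac.new(kc, count_from_frame(frame_number), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - BLOCK_BITS)  # top 114 bits


def cipher_block(kc: bytes, frame_number: int, block: int) -> int:
    """Encrypt or decrypt one 114-bit block; XOR with the keystream is its own inverse."""
    if not 0 <= block < (1 << BLOCK_BITS):
        raise ValueError("block must fit in 114 bits")
    return block ^ keystream_block(kc, frame_number)


def roundtrip_ok(kc: bytes, frame_number: int, block: int) -> bool:
    """A receiver holding the same Kc and the same COUNT recovers the plaintext block."""
    return cipher_block(kc, frame_number, cipher_block(kc, frame_number, block)) == block


def reuse_leaks_xor(kc: bytes, frame_number: int, block_a: int, block_b: int) -> bool:
    """Two blocks sent under the same (Kc, COUNT): the keystream cancels, so the XOR of the
    two ciphertexts equals the XOR of the two plaintexts and is visible to an eavesdropper."""
    ca = cipher_block(kc, frame_number, block_a)
    cb = cipher_block(kc, frame_number, block_b)
    return (ca ^ cb) == (block_a ^ block_b)
```

Because COUNT advances with the frame number, consecutive bursts get different keystream blocks; the leak shown by the last function arises only if the frame number repeats while Kc is unchanged, which is why the key is refreshed per connection.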

The encryption key Kc is preferably set up at the stage when the communication on the assigned channel is not yet encrypted and the mobile communication network to be used has identified the mobile station MS. In the GSM system, the mobile station is identified by using the international mobile subscriber identity (IMSI) stored in the mobile station, or by using a temporary mobile subscriber identity (TMSI) formed on the basis of the subscriber identity. There is also a subscriber identification key Ki stored in the mobile station. This subscriber identification key Ki is also known to the mobile communication network.

For ensuring that the encryption key Kc is known to the mobile station MS and the mobile communication network only, the encryption key itself is never sent over the radio channel; it is conveyed indirectly from the base station subsystem BSS to the mobile station MS. Thus a random number RAND is generated by the base station subsystem BSS and sent to the mobile station MS. The encryption key Kc is generated by the algorithm A8 from the random number RAND and the subscriber identification key Ki of the mobile station. The calculation and storing of the encryption key Kc is performed both in the mobile station MS and in the mobile communication network.

WO 98/28877
PCT/FI97/00793

At the beginning of the connection, communication between the mobile station MS and the base station subsystem BSS is unencrypted. The transfer to the encryption mode is advantageously made in a way that the base station subsystem BSS sends the mobile station a certain command (unencrypted) which in this context is called "start cipher". After the mobile station MS has received the "start cipher" command, it starts encryption of the messages to be transmitted and deciphering of received messages. In a corresponding manner, the base station subsystem BSS starts encryption of messages to be sent to the mobile station after the base station subsystem has received an encrypted message sent by the mobile station and deciphered it correctly.

Consequently, the identification and encryption information is transmitted one way, from the base station subsystem to the mobile station, wherein the base station subsystem does not confirm that the mobile station MS is the correct mobile station. Also, the mobile station MS does not necessarily know that the messages sent from the mobile station MS are transmitted to the correct base station subsystem. Thus there exists the possibility that sufficiently powerful computing and data transmission equipment can be used to intercept messages in the communication between the base station subsystem BSS and the mobile station MS.

It is an aim of the present invention to eliminate all the above-mentioned disadvantages to a major extent and to provide a data transmission system where the communicating parties can identify each other in a reliable way to prevent possible misuse. The invention is based on the idea that the identification is carried out in the communication both ways, advantageously so that both communicating parties identify each other. The method of the present invention is characterized in what will be presented in the characterizing part of the appended Claim 1. The system of the present invention is characterized in what will be presented in the characterizing part of the appended Claim 5. Further, the device of the present invention is characterized in what will be presented in the characterizing part of the appended Claim 8.

The present invention gives significant advantages over the encryption methods and systems of prior art. According to the invention, double-checking is performed, wherein both parties to the communication session can make sure that the other party is exactly the intended one. Thus it is not possible for outsiders to find out the content of the data to be transmitted or to direct the information to a wrong address. Payment operations are made safer than by using methods and systems known at present.

Checking can be done also during the data transmission connection, wherein attempts during the data transmission connection to interfere with the data to be transmitted can be found out and data can be prevented from falling into the hands of outsiders.

The invention will be described in more detail in the following with ref- 
erence to the appended drawings. In the drawings, 

Fig. 1a shows a smart card, 

Fig. 1b is a reduced block diagram showing the functional structure 
of a smart card, 

Fig. 2 is a reduced diagram showing a mobile communication net- 
work known as such, 

Fig. 3 shows a communication system according to an advanta- 
geous embodiment of the invention, 

Fig. 4 is an arrow diagram showing a payment operation according 
to the invention, and 

Fig. 5 is a status chart showing identification according to the in- 
vention. 

The following example illustrates the use of the method according to the invention for making an order and payment of an article or service in the communication system shown in Fig. 3, such as the Internet data network. The invention can also be applied in other types of data systems and for transmitting other types of data.

The user makes the necessary operations with a first data transmission device 1, which in this advantageous embodiment of the invention comprises at least a first data processor 2, such as a portable computer (PC), a first telecommunication terminal 3, which is e.g. a mobile station MS, such as a GSM mobile station, and a SIM module 4. The first data processor 2 is in data transmission connection with the first telecommunication terminal 3. The SIM module 4 is also in a data transmission connection either with the first data processor 2, the first telecommunication terminal 3, or both. The SIM module 4 can also be part of the first telecommunication terminal 3, such as is known from GSM mobile stations. The first data processor 2 and the first telecommunication terminal 3 shown in Fig. 3 can be either separate devices or they can be integrated, as for example in the Communicator manufactured by Nokia.

The invention will be described using the SIM module 4 as an electronic purse, as shown in Fig. 3, but the electronic purse can also be a charge card or the like. Thus, for applying the invention, the operations required in the SIM module can be provided at least partly also in the charge card or the like.

A second data transmission device 5 comprises advantageously a second data processor 6 which is e.g. a mainframe of the bank (payment server), a second telecommunication terminal 7, such as a modem, and a security access module (SAM) 8 for checking the user rights. The second data processor 6 and the second telecommunication terminal 7 are in data transmission connection with each other for transmitting messages between the second data processor 6 and a communication network 11. The SAM module 8 is coupled advantageously to the second data processor 6.

In the first data transmission device 1, the SIM module 4 makes the operations required for identification of the data transmission parties and also for encryption of data transmission in the data transmission device 1, as well as deciphers the encrypted data received from the second data transmission device 5. In a corresponding manner in the second data transmission device 5, the SAM module 8 makes the operations required for identification of the data transmission parties and also for encryption of data transmission in the second data transmission device 5, as well as deciphers the encrypted data received from the first data transmission device 1.

Encryption of the data to be transmitted is made advantageously by selecting an encryption algorithm A1, A2, A3, as shown in the status chart of Fig. 5. In the first data transmission device 1 the encryption algorithms A1, A2, A3 are stored preferably in the SIM module 4, and in the second data transmission device 5 advantageously in the SAM module 8. Thus the encryption algorithm A1, A2, A3 corresponding to the respective stage of identification according to the invention is looked up in the application software of the SIM module 4 and the SAM module 8. This is shown by the indices A1, A2, A3 in the respective blocks in Fig. 5. The encryption key K, Kc and the data to be transmitted are used as inputs of the selected encryption algorithm A1, A2, A3, wherein the encryption algorithm A1, A2, A3 generates an encrypted character string (a message), in a manner known as such. In practical applications of the encryption algorithm, e.g. programmable logic circuits comprising a programmed encryption algorithm can be used, or the encryption algorithm and encryption can be implemented in the application software of the encryption device. In a corresponding manner, also checking of the encrypted data and deciphering can be implemented on the hardware and/or software level. For verification of the encrypted data and deciphering, the same encryption algorithm A1, A2, A3 is used as for encryption. The encryption key K, Kc is either the same as the one used for encryption, or a public encryption key. Thus the input of the algorithm comprises the encrypted data, e.g. as a binary character string, and the encryption key K, Kc. The result will be information on whether the checked data was encrypted with the correct encryption key K, Kc and encryption algorithm A1, A2, A3.

A payment operation is exemplified in the arrow chart shown in Fig. 4. The operations critical for safety are marked with dots on the arrows.

For making an order, the user starts e.g. an Internet content browser with the first data processor 2 and finds the www page or the like of the supplier of the goods or services intended. When the correct page has been found and a data transmission connection has been made to the content server of the supplier of the goods or services, the name and order are entered by the user with the first data processor 2 and transmitted to the content server (arrow 401). The content server checks the order and finds the price of the order from its service provider or the like (arrow 402), after which the price information is transmitted to the first data processor 2 (arrows 403, 404), in which advantageously a paymaker shows the price information to the user and requests a confirmation of the order. After the confirmation of the order (arrow 405) has been received, the price and the information of the supplier of the goods or services are transmitted from the content server to a payment server of a bank (arrow 406). After this, the payment operation is started advantageously by setting up a data transmission connection between the first data transmission device 1 and the second data transmission device 5, e.g. as a telephone connection, in a situation in which the data transmission connection does not yet exist. In this embodiment, the second data transmission device 5 is the payment server of the bank. Also other known data transmission methods can be used, while the basic idea of the invention remains the same.

We shall next describe identification of data transmission devices according to an advantageous embodiment of the invention. This is illustrated as a status chart in Fig. 5. In the same context, reference is also made to the arrow chart of Fig. 4. In the reference indices C1s, C1p, C2s, C2p of the check-up and verification messages, the last character indicates the message source in a way that the reference indices of the messages formed in the first data transmission device 1 contain the letter s and the reference indices of the messages formed in the second data transmission device 5 contain the letter p. The check-up messages C1s, C2p are transmitted between the data transmission devices, but the verification messages C1p, C2s are used within the respective data transmission devices to verify the correctness of the check-up messages.

After the data transmission connection is formed between the data transmission devices 1 and 5, the second data transmission device 5 produces a first identification message R1, advantageously in the SAM module 8, and sends it to the first data transmission device 1 (arrow 407), in which advantageously a paymaker conveys the identification message to the SIM module 4 for processing (arrow 408). The first identification message R1 is advantageously a random character string, wherein it is different at each transmission session, which will further improve reliability of identification and security of data transmission, because a check-up message recorded from an earlier session cannot be replayed against a new R1. The first identification message R1 is sent advantageously in unencrypted form. In the first data transmission device 1, the SIM module 4 converts the first identification message R1 to a first check-up message C1s by using a first encryption algorithm A1 and a first encryption key K. Further, the SIM module 4 produces a second identification message R2 and converts it to a temporary encryption key Kc by using a second encryption algorithm A2 and the first encryption key K. After this, the first check-up message C1s produced by the SIM module, the second identification message R2 and the identification ID of the SIM module are transmitted to the second data transmission device 5 (arrows 409, 410). The SIM module identification ID is transmitted in unencrypted form, wherein the second data transmission device 5 can select the correct encryption key K on the basis of the SIM module identification ID. The SIM module identification ID can be transmitted in unencrypted form, because outsiders cannot utilize the code without the correct encryption key K; an eavesdropper does, however, learn which SIM module is communicating, in the same way as an unencrypted IMSI reveals the subscriber in a mobile communication network.

Now, the SAM module 8 of the second data transmission device 5 knows
both the encryption key K and the first encryption algorithm A1. Thus
the SAM module 8 performs the same operation on the first
identification message R1 as the SIM module 4, i.e. converts the first
identification message R1 into the first verification message C1p by
using the encryption key K and the first encryption algorithm A1.
Because the operations are identical, the results, that is the first
verification message C1p and the first check-up message C1s, should
also be identical if the starting data was the same. The SAM module 8
compares the first check-up message C1s sent from the first data
transmission device 1 with the first verification message C1p formed by
it. If the comparison shows that these are identical, the SAM module 8
knows that the sender was the first data transmission device 1, or that
the data transmission connection is all right in this respect.

Next, the SAM module 8 converts the second identification message R2
sent by the first data transmission device 1 into a second check-up
message C2p by using the first encryption algorithm A1 and the
encryption key K. Further, the SAM module 8 converts the second
identification message R2 into a temporary encryption key Kc by using
the second encryption algorithm A2 and the first encryption key K. The
price information on the article or service ordered, and the address
information of the supplier of said article or service, are transmitted
to the first data transmission device 1 advantageously in encrypted
form. For encryption, the SAM module 8 uses a third encryption
algorithm A3 and the temporary encryption key Kc formed by it. The
second data transmission device 5 then sends the price information and
the address information in encrypted form as well as the second
check-up message C2p to the first data transmission device 1
(arrows 411, 412).

The first data transmission device 1 uses the second identification
message R2 produced by the SIM module 4 for producing the second
verification message C2s by using the first encryption algorithm A1 and
the encryption key K. Consequently, the SIM module 4 performs the same
operation on the second identification message R2 as the SAM module 8,
wherein the results, i.e. the second check-up message C2p and the
second verification message C2s, should be identical if the starting
data was the same. After receiving the second check-up message C2p sent
by the second data transmission device 5, the SIM module 4 compares it
with the second verification message C2s produced by it. If the
comparison shows that they are identical, the SIM module 4 knows that
the transmitter was the second data transmission device 5. After this
the SIM module deciphers the received price and address information by
using the third encryption algorithm A3 and the temporary encryption
key Kc. Now that both parties of the data transmission are identified,
the order can be paid.
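
The exchange described in the preceding paragraphs, written out end to end as an added example in Python; this is not code from the patent, which specifies neither the algorithms A1, A2, A3 nor the message formats. The example assumes HMAC-SHA256 with distinct labels for A1 and A2, an HMAC-based encrypt-then-MAC construction for A3, and 16 random bytes for R1 and R2; the class and function names (SimModule, SamModule, run_session) are this example's own. Two details the description leaves open are worth seeing in code: because C2p and Kc are both computed from the same K and R2, A1 and A2 have to be distinct functions (here separated by a label), and the check-up/verification comparisons are done in constant time.

```python
"""Two-way identification of the SIM (first device) and the SAM (payment
server) as described above: an added example, not the patent's own code.
Assumptions: A1 and A2 are HMAC-SHA256 with distinct labels, A3 is an
HMAC-based encrypt-then-MAC construction, R1 and R2 are 16 random bytes.
"""
import hashlib
import hmac
import secrets


def a1(k: bytes, r: bytes) -> bytes:
    """A1: check-up / verification function (assumed: labelled HMAC)."""
    return hmac.new(k, b"A1|" + r, hashlib.sha256).digest()


def a2(k: bytes, r2: bytes) -> bytes:
    """A2: temporary key Kc from K and R2. The label keeps Kc distinct from
    C2p = A1(K, R2), which is built from the same two inputs."""
    return hmac.new(k, b"A2|" + r2, hashlib.sha256).digest()


def _keystream(kc: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        blk = b"A3enc|" + nonce + ctr.to_bytes(4, "big")
        out += hmac.new(kc, blk, hashlib.sha256).digest()
    return out[:n]


def a3_encrypt(kc: bytes, plaintext: bytes) -> bytes:
    """A3 stand-in: nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(kc, nonce, len(plaintext))))
    tag = hmac.new(kc, b"A3mac|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def a3_decrypt(kc: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kc, b"A3mac|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        raise ValueError("A3: integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(kc, nonce, len(ct))))


class SimModule:
    """SIM module 4: holds its own ID and the secret key K."""

    def __init__(self, sim_id: bytes, k: bytes):
        self.sim_id, self.k, self.r2, self.kc = sim_id, k, None, None

    def answer_r1(self, r1: bytes):
        """Arrows 409/410: returns (ID, C1s, R2); ID and R2 travel in clear."""
        c1s = a1(self.k, r1)
        self.r2 = secrets.token_bytes(16)
        self.kc = a2(self.k, self.r2)
        return self.sim_id, c1s, self.r2

    def verify_server(self, c2p: bytes, encrypted_order: bytes) -> bytes:
        """Arrows 411/412: C2p must equal C2s = A1(K, R2); then decrypt."""
        c2s = a1(self.k, self.r2)
        if not hmac.compare_digest(c2p, c2s):
            raise PermissionError("second device not identified (C2p != C2s)")
        return a3_decrypt(self.kc, encrypted_order)


class SamModule:
    """SAM module 8: the server's data file maps SIM ID -> K."""

    def __init__(self, key_file: dict):
        self.key_file, self.r1 = key_file, None

    def start(self) -> bytes:
        """Arrow 407: a fresh random R1 for every session."""
        self.r1 = secrets.token_bytes(16)
        return self.r1

    def verify_sim_and_reply(self, sim_id, c1s, r2, order: bytes):
        """Selects K by ID, checks C1s == C1p, returns (C2p, A3_Kc(order))."""
        k = self.key_file.get(sim_id)
        if k is None:
            raise PermissionError("unknown SIM ID")
        if not hmac.compare_digest(c1s, a1(k, self.r1)):  # a1(k, r1) is C1p
            raise PermissionError("first device not identified (C1s != C1p)")
        return a1(k, r2), a3_encrypt(a2(k, r2), order)  # C2p, and A3 under Kc


def run_session(sim: SimModule, sam: SamModule, order: bytes) -> bytes:
    """Runs the whole exchange; returns the order data as decrypted by the SIM."""
    r1 = sam.start()
    sim_id, c1s, r2 = sim.answer_r1(r1)
    c2p, blob = sam.verify_sim_and_reply(sim_id, c1s, r2, order)
    return sim.verify_server(c2p, blob)


# Constructed sample data: one SIM enrolled in the server's key file.
KEY_FILE = {b"SIM-0001": secrets.token_bytes(16)}
ORDER = b"price=12.50 EUR;supplier=Example Shop"

if __name__ == "__main__":
    sim = SimModule(b"SIM-0001", KEY_FILE[b"SIM-0001"])
    print(run_session(sim, SamModule(KEY_FILE), ORDER))
```

Run stand-alone, the script prints the decrypted order string. A SIM holding the wrong K is rejected at the server's C1s check before any reply is sent, an unknown ID fails the key-file lookup, and a forged C2p is rejected by the SIM before it decrypts anything, which is the order of checks the description calls for.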

In connection with the payment operation, the SIM module checks that
the sum of money contained in the SIM module 4 is sufficient for making
the payment. If there is not sufficient money loaded in the SIM
module 4, the payer can be given an error message, for example on the
display 9 of the first data transmission device or on the display 10 of
the first data processor. If there is sufficient money stored in the SIM
module 4, the sum to be paid is deducted from the money account of the
card. The SIM module 4 sends the payment and the identification
parameters, encrypted with the third encryption algorithm A3 and the
temporary encryption key Kc, to the second data transmission device 5
(arrows 413, 414). The identification parameters used can be, for
example, the payer identification and password, for ensuring that the
message sent and the message received by the second data transmission
device 5 come from the correct SIM module and that the money is
legitimate.
In connection with the payment, the payment server of the bank
transmits an acknowledgement for the payment to the first data
transmission device 1 (arrow 415), in which the acknowledgement is
transmitted to the SIM module 4 (arrow 416).

The bank payment server sends information on the payment also to the
content server (arrow 417). Next, the content server sends the
information on the order (e.g. the order number) to the user's content
browser for display (arrow 418). The acknowledgement of receipt of the
information by the user is transmitted to the content server
(arrow 419) and to the payment server (arrow 420). The content server
also sends an acknowledgement of the transmission of the order and
payment data via the paymaker (arrow 421) to the SIM module
(arrow 422).

Next, the payment server makes the payment in encrypted form to the
bank account of the supplier of the article or services, as shown by
arrow 423. An acknowledgement of the giro transfer is further sent to
the payment server (arrow 424). The order is now received and the
payment made.

In the encryption method according to the invention, the encryption
key K is required, which is linked to the SIM module identification ID.
The second data transmission device 5 comprises a data file in which
the identifications ID of the SIM modules connected with the system and
the corresponding encryption keys K are stored, wherein the second data
transmission device 5 is capable of determining each encryption key K
to be used on the basis of the received SIM module identification ID.
Further, the method according to the invention advantageously uses
three encryption algorithms A1, A2, A3. The system implementing the
method of the invention is very secure, because the encryption key K
and the encryption algorithms A1, A2, A3 are never transmitted via the
data network; instead they are stored in the second data transmission
device 5 as well as in the SIM module 4, for example in connection with
manufacturing of the SIM module card.

WO 98/28877 PCT/FI97/00793

The encryption keys K, Kc, the encryption algorithms A1, A2, A3, the
identification messages R1, R2, the check-up messages C1s, C2p, as
well as the verification messages C1p, C2s, and their form, each
depend on the application to be used. Typically, digital data
transmission systems utilize binary digit strings, whose length is
selected according to the use and the properties of the system, e.g. to
be divisible by 8 or 16, which is known to an expert in the art.

Although the invention was described above for securing payment
operations, the invention can also be advantageously applied for
securing communication, wherein the method works substantially in the
manner described above. Thus, instead of or in addition to price and
address information, data is transmitted which is encrypted with the
said encryption key Kc and encryption algorithm A3. Identification of
the parties to the data transmission is conducted two ways with the
encryption key K, the first encryption algorithm A1 and the two
identification messages R1 and R2. The data are transmitted
advantageously in packets, wherein in connection with the reception of
each packet it can be verified that the packet was sent from the
correct sender.
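
Per-packet sender verification for the communication variant just described, as an added example in Python (not the patent's code). It assumes both sides already hold Kc from the two-way identification and again uses an HMAC-SHA256 stand-in for the unspecified A3; the function names and the packet layout (a 4-byte sequence number, the ciphertext and a 32-byte tag) are this example's own. The sequence number goes beyond what the page states: with the tag alone a receiver can confirm that a packet was produced with Kc, but not that it is new rather than a stale copy of an earlier genuine packet.

```python
"""Packet-by-packet verification for the secure communication variant
described above: an added example, not the patent's code. It assumes the
two-way identification has run and both sides hold the temporary key Kc.
A3 is again an HMAC-SHA256 stand-in; the sequence number bound into each
packet is this example's own addition so that a stale copy of a genuine
packet is rejected as well as a packet from anyone without Kc.
"""
import hashlib
import hmac
import struct

SEQ = struct.Struct(">I")  # 4-byte big-endian packet sequence number


def _stream(kc: bytes, hdr: bytes, n: int) -> bytes:
    """Keystream tied to Kc and the packet header (never reuse a seq under one Kc)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(kc, b"pkt|" + hdr + SEQ.pack(ctr), hashlib.sha256).digest()
    return out[:n]


def seal_packet(kc: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || ciphertext || tag, tag over header and ciphertext."""
    hdr = SEQ.pack(seq)
    ct = bytes(p ^ s for p, s in zip(payload, _stream(kc, hdr, len(payload))))
    tag = hmac.new(kc, b"tag|" + hdr + ct, hashlib.sha256).digest()
    return hdr + ct + tag


class PacketReceiver:
    """Receiver side: verifies sender and freshness of every packet."""

    def __init__(self, kc: bytes):
        self.kc, self.last_seq = kc, -1

    def open_packet(self, packet: bytes) -> bytes:
        if len(packet) < SEQ.size + 32:
            raise ValueError("truncated packet")
        hdr, ct, tag = packet[:4], packet[4:-32], packet[-32:]
        expected = hmac.new(self.kc, b"tag|" + hdr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            raise ValueError("packet was not sent by the holder of Kc")
        seq = SEQ.unpack(hdr)[0]
        if seq <= self.last_seq:
            raise ValueError(f"packet {seq} already seen or out of order")
        self.last_seq = seq
        return bytes(c ^ s for c, s in zip(ct, _stream(self.kc, hdr, len(ct))))


def exchange(kc: bytes, messages: list) -> list:
    """Sends each message as one packet and returns what the receiver accepted."""
    rx = PacketReceiver(kc)
    return [rx.open_packet(seal_packet(kc, i, m)) for i, m in enumerate(messages)]


KC = bytes(range(32))  # constructed Kc; in the real flow it comes from A2(K, R2)
MESSAGES = [b"price=12.50 EUR", b"supplier=Example Shop", b"ack"]

if __name__ == "__main__":
    print(exchange(KC, MESSAGES))
```

The tag is checked before the sequence number so that an unauthenticated packet is never allowed to move the receiver's window. A delivered packet fed to the receiver a second time, a packet whose ciphertext was altered in transit, and a packet produced under a different key all raise ValueError; the caller decides whether to drop the packet or tear the connection down.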

The invention is not limited solely to the above-mentioned embodiments
but it can be modified within the scope of the appended claims.
Claims:

1. Method for identification of a data transmission device (1, 5)
in a data transmission system, wherein a data transmission connection
is formed between at least a first (1) and a second data transmission
device (5) and the identification is conducted two ways, wherein the
second data transmission device (5) identifies the first data
transmission device (1) and the first data transmission device (1)
identifies the second data transmission device (5), in which method the
identification comprises at least the following steps:

generating at least one identification message (R1, R2),

transmission of said identification message (R1, R2) between the
data transmission devices (1, 5),

generating a check-up message (C1s, C2p) of said identification
message (R1, R2) in the receiving data transmission device (1, 5),

sending said check-up message (C1s, C2p) to the data transmission
device (1, 5) which sent the identification message (R1, R2), in which

a verification message (C1p, C2s) is generated, with which the
received check-up message (C1s, C2p) is compared,

characterized in that the identifications (ID) of the first data
transmission devices (1) that can be linked to the data transmission
system as well as the corresponding encryption keys (K) are stored in
the second data transmission device (5), wherein the encryption key (K)
to be used in generating the check-up message (C1s, C2p) and the
verification message (C1p, C2s) is selected on the basis of the
identification (ID) of the first data transmission device (1) that is
used in the data transmission connection at the time.

2. Method according to Claim 1, characterized in that the
identification comprises at least the following steps:

generating the first identification message (R1) at the second data
transmission device (5),

transmission of said identification message (R1) from the second
data transmission device (5) to the first data transmission
device (1),

generating the first check-up message (C1s) in the first data
transmission device (1),

transmission of said check-up message (C1s) to the second data
transmission device (5), in which

the encryption key (K) is selected on the basis of the received
identification (ID) of the first data transmission device (1),

the first verification message (C1p) is generated, with which the
received check-up message (C1s) is compared,

the second identification message (R2) is generated at the first
data transmission device (1),

said identification message (R2) is sent from the first data
transmission device (1) to the second data transmission
device (5),

the second check-up message (C2p) is generated at the second
data transmission device (5), and

said check-up message (C2p) is sent to the first data transmission
device (1), in which

the second verification message (C2s) is generated, with which
the received check-up message (C2p) is compared.

3. Method according to Claim 1 or 2, characterized in that an
encryption algorithm (A1) and an encryption key (K) are selected,
wherein the first check-up message (C1s) is generated from the first
identification message (R1) by using the encryption algorithm (A1) and
the encryption key (K), and that the second check-up message (C2p) is
generated from the second identification message (R2) by using the
encryption algorithm (A1) and the encryption key (K).

4. Method according to Claim 1, 2 or 3, characterized in that 
the second identification message (R2), the first check-up 
message (C1s) and the second verification message (C2s) are 
generated in a smart card, such as a SIM module (4), arranged in the 
first data transmission device (1). 

5. Data transmission system comprising means (3, 7, 12) for
generating a data transmission connection between at least a first (1)
and a second data transmission device (5), in which system the data
transmission devices (1, 5) are arranged to be identified two ways,
wherein the first data transmission device (1) comprises means for
identifying the second data transmission device (5) and the second
data transmission device (5) comprises means for identifying the first
data transmission device (1), and which identification means comprise:

means (4, 8) for generating at least one identification
message (R1, R2),

means (3, 7) for transmitting said identification message (R1, R2)
between the data transmission devices (1, 5),

means (3, 7) for generating a check-up message (C1s, C2p) in the
data transmission device (1, 5) receiving said identification
message (R1, R2), and

means (4, 8) for sending said check-up message (C1s, C2p) to the
data transmission device (1, 5) that sent the identification
message (R1, R2), comprising means (4, 8) for generating a
verification message (C1p, C2s) and means (4, 8) for comparing
the verification message (C1p, C2s) and the received check-up
message (C1s, C2p),

characterized in that the second data transmission device (5)
comprises further means for storing the identifications (ID) of the
first data transmission devices (1) and the corresponding encryption
keys (K), wherein the encryption key (K) is arranged to be selected on
the basis of the identification (ID) of the first data transmission
device (1) being used at the time.

6. System according to Claim 5, characterized in that the
means for identification of the first data transmission device (1)
comprise:

means (8) for generating the first identification message (R1), the
second check-up message (C2p) and the first verification
message (C1p),

means (7) for sending said first identification message (R1) and
the second check-up message (C2p) to the first data transmission
device (1),

means (7) for receiving the first check-up message (C1s) of the
second identification message (R2) and the identification (ID) of
the first data transmission device (1),

means (8) for selecting the encryption key (K) on the basis of the
identification (ID) of the first data transmission device (1), and

means (8) for comparing the first check-up message (C1s) and the
first verification message (C1p),

and that the means for identification of the second data transmission
device (5) comprise:

means (4) for generating the second identification message (R2),
the first check-up message (C1s) and the second verification
message (C2s),

means (3) for sending said second identification message (R2)
and the first check-up message (C1s) to the second data
transmission device (5),

means (3) for receiving the first identification message (R1) and
the second check-up message (C2p), and

means (4) for comparing the second check-up message (C2p) and
the second verification message (C2s).

7. System according to claim 5 or 6, characterized in that the
means (4) for generating the second identification message (R2), the
first check-up message (C1s) and the second verification
message (C2s) comprise a smart card, such as a SIM module (4).

8. Data transmission device (1, 5), such as a mobile station,
comprising:

means (4) for storing the identification (ID) of the data
transmission device (1),

means (4) for generating an identification message (R1, R2),

means (3) for transmitting said identification message (R1, R2),

means (3) for receiving a check-up message (C1s, C2p) generated
on the basis of the transmitted identification message (R1), and

means (4) for generating a verification message (C1p, C2s) on the
basis of the received check-up message (C1s, C2p),

characterized in that it comprises further means (3) for transmitting
the identification (ID) of the data transmission device (1) to a second
data transmission device (5), wherein in the second data transmission
device (5) the encryption key (K) is arranged to be selected on the
basis of the identification (ID) of the first data transmission
device (1).